Messages

1

23.1 Legacy Series / Re: Restrict OpenVPN Client pipe to specific subnet

« on: July 17, 2023, 07:10:04 pm »

Ok, I've made progress. So I created a firewall alias for every private IP range on the far end of the VPN. I then changed the default lan rule to do a reverse destination match on that alias, and that seems to have blocked it.
So, my current need is solved, but I do feel like this is an area of improvement in the product. The OpenVPN Client interface should get auto-populated as a gateway for traffic it's responsible for routing, and then rules about things heading to that gateway could be made. That would be way more intuitive. This solution works, but every time we add or change a subnet on the VPN, every other system will auto-update, but I'll need to remember to change the alias on this one.

2

23.1 Legacy Series / Re: Restrict OpenVPN Client pipe to specific subnet

« on: July 17, 2023, 12:11:42 am »

So, still nothing has worked. Interestingly, I looked at the firewall logs, and if I have an SSH session from my workstation to a server on the other end of the OpenVPN tunnel, here's what I see in sessions:
An outbound connection from my workstation with no gateway IP to the remote server,'s private IP, and an inbound connection between the same two IPs, again with no gateway, being allowed by "let anything out by the firewall host itself"
Do I need to micromanage and make a rule for every remote private IP and block those subnets individually in rules? I assume the lack of a gateway is because the routes are getting established dynamically from the OpenVPN Client, which honestly I prefer. But it feels strange that I don't see the OpenVPN Client interface I defined in this exchange anywhere, even though that's clearly the route it's taking.

3

23.1 Legacy Series / Re: Restrict OpenVPN Client pipe to specific subnet

« on: July 14, 2023, 02:57:06 pm »

The aliases trick I haven't tried yet, so I'll do that. I was using LAN_net for the alias, which I would think would be the same thing?

4

23.1 Legacy Series / Restrict OpenVPN Client pipe to specific subnet

« on: July 13, 2023, 10:52:40 pm »

Background: My company uses OpenVPN Connect (now called CloudConnexa), and I have my OpnSense using OpenVPN Client to connect to it, so that every work system doesn't have to run a separate client locally. The VPN is a split-tunnel, so only traffic going to our AWS VPC uses the VPN.

I have split my home office on one /25 and the rest of the house on another /25 with the hope of restricting access to the OpenVPN Client to just the office /25 versus the entire house. I have added an opt2 interface to the ovpnc entry as someone suggested originally on Reddit, but no firewall rules I try seem to be stopping LAN traffic from finding its way to the VPN.

Has anyone here ever done anything like this and can give pointers on what kind of firewall rule I need where to do it? Thanks!